Enable two-factor authentication for identifying and authenticating Wireless Local Area Network users.

CONTROL ID: 04595
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Configure Wireless Access Points in accordance with organizational standards. (CC ID: 12477)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Banks should ensure all wireless traffic leverages at least AES encryption used with at least WPA2 protection. Banks should ensure wireless networks use authentication protocols such as EAP/TLS or PEAP, which provide credential protection and mutual authentication. (Critical components of information security 28) xi., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks should ensure wireless clients use strong, multi-factor authentication credentials to mitigate the risk of unauthorized access from compromised credentials. (Critical components of information security 28) xii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Implementation of mutual authentication of user and authentication server and survey needs to be done before location of access points to ensure that signals are confined within the premise as much as possible (Critical components of information security 28) xvi. Bullet 5, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Re-establishment of any session after interruption should require normal user identification, authentication, and authorization. Moreover, strong server side validation should be enabled. (Critical components of information security g) iii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Has two-factor authentication been employed? (Table Row XIII.11, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization use two-factor authentication on all wireless devices? (Table Row XIII.20, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The control system shall provide the capability to identify and authenticate all users (humans, software processes or devices) engaged in wireless communication. (5.8.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The control system shall provide the capability to uniquely identify and authenticate all users (humans, software processes or devices) engaged in wireless communication. (5.8.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The network device shall provide the capability to uniquely identify and authenticate all users (humans, software processes or devices) engaged in wireless communication. (15.2.3 (1) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • A network device supporting wireless access management shall provide the capability to identify and authenticate all users (humans, software processes or devices) engaged in wireless communication. (15.2.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • There should be documented standards / procedures for controlling wireless access to the network, which cover methods of limiting access to authorized users. (CF.09.06.02b, The Standard of Good Practice for Information Security)
  • Wireless access should be protected using layers of Access Control, including Network Access Control (e.g., IEEE 802.1X). (CF.09.06.05a, The Standard of Good Practice for Information Security)
  • Wireless access should be protected using layers of Access Control, including device authentication (e.g., Extensible Authentication Protocol-Transport Layer Security). (CF.09.06.05b, The Standard of Good Practice for Information Security)
  • Wireless access should be protected using layers of Access Control, including user authentication. (CF.09.06.05c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for controlling wireless access to the network, which cover methods of limiting access to authorized users. (CF.09.06.02b, The Standard of Good Practice for Information Security, 2013)
  • Wireless access should be protected using layers of Access Control, including Network Access Control (e.g., IEEE 802.1X). (CF.09.06.05a, The Standard of Good Practice for Information Security, 2013)
  • Wireless access should be protected using layers of Access Control, including device authentication (e.g., Extensible Authentication Protocol-Transport Layer Security). (CF.09.06.05b, The Standard of Good Practice for Information Security, 2013)
  • Wireless access should be protected using layers of Access Control, including user authentication. (CF.09.06.05c, The Standard of Good Practice for Information Security, 2013)
  • Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which provide credential protection and mutual authentication. (Control 15.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should verify wireless networks use authentication protocols to provide mutual authentication and credential protection. (Critical Control 7.10, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should verify wireless clients use strong, multifactor authentication credentials. (Critical Control 7.11, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Two-factor authentication is required to be used for all remote login access. (Critical Control 13.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) that requires mutual, multi-factor authentication. (CIS Control 15: Sub-Control 15.8 Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication, CIS Controls, 7.1)
  • Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) that requires mutual, multi-factor authentication. (CIS Control 15: Sub-Control 15.8 Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication, CIS Controls, V7)
  • The network device shall provide the capability to uniquely identify and authenticate all users (humans, software processes or devices) engaged in wireless communication. (15.2.3 (1) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Wireless systems should use strong authentication methods for the identification and authentication of WLAN users. WLAN systems must use IEEE 802.1x authentication with EAP-TLS. WiMax systems should use two-factor authentication at the device and network level. Examine the WLAN system to verify that… (§ 3.2 (WIR0240), § 4.2 (WIR0240), § 4.2 (WIR0378), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • Protect wireless access using authentication and encryption. (AC.3.012, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Protect wireless access using authentication and encryption. (AC.3.012, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Protect wireless access using authentication and encryption. (AC.3.012, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Protect wireless access using authentication and encryption. (AC.L2-3.1.17 Wireless Access Protection, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Use advanced authentication or CSO approved compensating controls as per Section 5.13.7.2.1. (§ 5.13.3 ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Use advanced authentication or CSO approved compensating controls as per Section 5.13.7.2.1. (§ 5.13.3 ¶ 1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Protect wireless access to the system using authentication of both users and devices and encryption. (AC-18 (CE-1): Authentication and Encryption:, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Does the Credit Union use additional forms of authentication for improving the security of the client or Access Point authentication process? (IT - WLANS Q 17, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • WLAN connectivity should require a two-factor authentication method. (Table 8-1 Item 9, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Mutual authentication should be used in order to verify the legitimacy of all devices on the network. Vulnerabilities should be minimized by implementing strong authentication mechanisms. (Table 4-2 Item 16, Table 4-2 Item 21, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Protect wireless access to the system using authentication and encryption. (03.01.16 d., NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
  • Protect wireless access using authentication and encryption. (3.1.17, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Protect wireless access using authentication and encryption. (3.1.17, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Protect wireless access using authentication and encryption. (3.1.17, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should utilize authentication and encryption for wireless system access. (App F § AC-18(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should authenticate a device before a remote and wireless network connection that uses bidirectional authentication between cryptographically-based devices is established. (App F § IA-3(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system protects wireless access to the system using authentication of {users} and encryption. (AC-18(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system protects wireless access to the system using authentication of {devices} and encryption. (AC-18(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets {organizationally documented strength of mechanism requirements}. (IA-2(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system protects wireless access to the system using authentication of {users} and encryption. (AC-18(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects wireless access to the system using authentication of {devices} and encryption. (AC-18(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets {organizationally documented strength of mechanism requirements}. (IA-2(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects wireless access to the system using authentication of {users} and encryption. (AC-18(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects wireless access to the system using authentication of {devices} and encryption. (AC-18(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets {organizationally documented strength of mechanism requirements}. (IA-2(11), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Administration and network management of WLAN infrastructure equipment requires strong authentication and encryption of all communication. If an organization uses Simple Network Management Protocol (SNMP) to manage its equipment, it shall use SNMPv3. Use SSL/TLS or an equivalent protection (e.g., IP… (INITIATION ¶ 3, Standard 643S1: Wireless Networks, 643S1-00)
  • The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. (AC-18(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)